With cybersecurity attacks on the rise, companies must explore new ways to stay one step ahead of threat actors. IDG Research Services found that 78% of IT leaders are not confident in their companies’ security postures, which led 91% of organizations to increase cybersecurity funding for 2021. As part of this increased focus, many companies are turning to ethical hacker groups to help prevent future attacks. In addition, more open-source developer tools are now on the market. This has made it easier for companies to work with ethical hackers, especially through bug bounty programs.

Recently, ethical hacker Alex Birsan targeted open-source developer tools. He broke into more than 35 different companies, including Microsoft, Apple, Netflix and Uber. In addition to earning $130,000 for his efforts, Birsan also uncovered dependency confusion, a new way attackers are launching supply chain attacks. Birsan shared a detailed account of his processes and outcomes in a Medium post.

What Are the Goals of Ethical Hacking?

Ethical hackers such as Birsan often refer to themselves as white hat hackers or offensive security testers and researchers. They use the same methods and tools cyber criminals use to try to find and exploit gaps. While threat actors make money through theft, extortion and ransoms, clients pay ethical hackers to help defend against those attacks. The biggest difference is that ethical hackers attempt to breach and access systems with permission. Their intent is to be helpful. Meanwhile, attackers have no permission and have malicious intent.

Ethical hackers benefit the clients that hire them because they approach the project with the same mindset as an attacker. They aim to find out how to gain access and cause harm. However, their purpose is to find vulnerabilities in apps, infrastructure and open-source code before attackers can. Organizations can then fix the issues before an actual attack or breach occurs. This can save a lot of money, time and reputational damage, even after the cost of paying the ethical hacker.

Two Ways to Hire an Ethical Hacker

Companies often work with ethical hackers in two different ways.

First, they might hire an individual hacker or an ethical hacking company, typically for a specific purpose. For example, the company may request that the hacker conduct a penetration test or attempt to break into a specific system. Recall the increase in supply chain attacks through open-source vulnerabilities mentioned above. Many companies are asking ethical hackers like Birsan to specifically look for vulnerabilities in their software delivery systems.

It’s important to remember that when an ethical hacker is successful, they now have access to your data and infrastructure. Because you have to fully trust them with your systems, it’s essential to hire a trustworthy ethical hacker and to clearly define the boundaries for the project. It really is a Catch-22. If you don’t invite a white hat hacker into your most sensitive systems, you may be unaware of vulnerabilities attackers can exploit. While the cost of hiring an ethical hacker may seem high, it’s significantly less than the cost of recovering from an attack.

The Benefits of Bug Bounties

The other option is to set up a bug bounty program. Organizations can post on specific platforms for ethical hackers and announce a bug bounty program, which means the company sets the parameters of the program and then pays the hackers for reporting vulnerabilities found in its systems. Each program is a bit different, with some being open-ended while others have specific dates. Many bug bounty programs specify which systems to attempt to enter and how far the hackers can go once they gain access.

While you have significantly less control with a bug bounty program, you get a wider range of skill sets attempting to uncover vulnerabilities. With a single ethical hacker, you are dependent on that hacker’s expertise and tools. Additionally, bug bounty programs can be cheaper than hiring an individual ethical hacker because you pay for specific results, while consultants typically charge by the hour with bonuses for success.

Taking a Second Look

With increased reliance on the cloud due to the shifts in our daily habits from the pandemic and many companies still working full-time from home, the stakes of cybersecurity have increased. Even the best security professionals are limited in their ability to find vulnerabilities in a system they helped design and protect. By getting a second (or hundredth) set of eyes and minds to examine your systems, you are more likely to proactively prevent breaches from occurring.
